Skip to content

Commit

Permalink
Update all Keycloak examples and e2e tests to work with Keycloak vers…
Browse files Browse the repository at this point in the history
…ion 20.0

+ add some screenshots to a user guide that uses the new Keycloak version
  • Loading branch information
guicassolato committed Oct 26, 2023
1 parent 422f175 commit 91d587e
Show file tree
Hide file tree
Showing 22 changed files with 82 additions and 77 deletions.
4 changes: 2 additions & 2 deletions api/v1beta2/auth_config_conversion_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -344,7 +344,7 @@ func authConfig() *AuthConfig {
"credentialsRef": {
"name": "talker-api-uma-credentials"
},
"endpoint": "http://keycloak.authorino.svc.cluster.local:8080/auth/realms/kuadrant"
"endpoint": "http://keycloak.authorino.svc.cluster.local:8080/realms/kuadrant"
},
"when": [
{
Expand Down Expand Up @@ -879,7 +879,7 @@ func hubAuthConfig() *v1beta1.AuthConfig {
"credentialsRef": {
"name": "talker-api-uma-credentials"
},
"endpoint": "http://keycloak.authorino.svc.cluster.local:8080/auth/realms/kuadrant"
"endpoint": "http://keycloak.authorino.svc.cluster.local:8080/realms/kuadrant"
},
"when": [
{
Expand Down
10 changes: 5 additions & 5 deletions docs/user-guides/deny-with-redirect-to-login.md
Original file line number Diff line number Diff line change
Expand Up @@ -224,16 +224,16 @@ kubectl port-forward deployment/keycloak 8080:8080 2>&1 >/dev/null &
Create a client:

```sh
curl -H "Authorization: Bearer $(curl http://keycloak:8080/auth/realms/master/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=admin-cli' -d 'username=admin' -d 'password=p' | jq -r .access_token)" \
curl -H "Authorization: Bearer $(curl http://keycloak:8080/realms/master/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=admin-cli' -d 'username=admin' -d 'password=p' | jq -r .access_token)" \
-H 'Content-type: application/json' \
-d '{ "name": "matrix-quotes", "clientId": "matrix-quotes", "publicClient": true, "redirectUris": ["http://matrix-quotes.127.0.0.1.nip.io:8000/auth*"], "enabled": true }' \
http://keycloak:8080/auth/admin/realms/kuadrant/clients
http://keycloak:8080/admin/realms/kuadrant/clients
```

### Reconfigure the Matrix Quotes app to use Keycloak's login page

```sh
kubectl set env deployment/matrix-quotes KEYCLOAK_REALM=http://keycloak:8080/auth/realms/kuadrant CLIENT_ID=matrix-quotes
kubectl set env deployment/matrix-quotes KEYCLOAK_REALM=http://keycloak:8080/realms/kuadrant CLIENT_ID=matrix-quotes
```

### Apply the changes to the `AuthConfig`
Expand All @@ -250,7 +250,7 @@ spec:
authentication:
"idp-users":
jwt:
issuerUrl: http://keycloak:8080/auth/realms/kuadrant
issuerUrl: http://keycloak:8080/realms/kuadrant
credentials:
cookie:
name: TOKEN
Expand All @@ -259,7 +259,7 @@ spec:
code: 302
headers:
"Location":
selector: "http://keycloak:8080/auth/realms/kuadrant/protocol/openid-connect/auth?client_id=matrix-quotes&redirect_uri=http://matrix-quotes.127.0.0.1.nip.io:8000/auth?redirect_to={request.path}&scope=openid&response_type=code"
selector: "http://keycloak:8080/realms/kuadrant/protocol/openid-connect/auth?client_id=matrix-quotes&redirect_uri=http://matrix-quotes.127.0.0.1.nip.io:8000/auth?redirect_to={request.path}&scope=openid&response_type=code"
EOF
```

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ spec:
selector: auth.identity.metadata.annotations.authorino\.kuadrant\.io/username
"idp-users":
jwt:
issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant
issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant
defaults:
"username":
selector: auth.identity.preferred_username
Expand Down Expand Up @@ -340,7 +340,7 @@ The `AuthConfig` deployed in the previous step is suitable for validating access
Obtain an access token from within the cluster for the user Jane, whose e-mail has been verified:

```sh
ACCESS_TOKEN=$(kubectl -n edge run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' | jq -r .access_token)
ACCESS_TOKEN=$(kubectl -n edge run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' -d 'scope=openid' | jq -r .access_token)
```

If your Keycloak server is reachable from outside the cluster, feel free to obtain the token directly. Make sure the host name set in the OIDC issuer endpoint in the `AuthConfig` matches the one used to obtain the token and is as well reachable from within the cluster.
Expand All @@ -360,7 +360,7 @@ jwt decode $ACCESS_TOKEN
# "family_name": "Smith",
# "given_name": "Jane",
# "iat": 1638451920,
# "iss": "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant",
# "iss": "http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant",
# "jti": "699f6e49-dea4-4f29-ae2a-929a3a18c94b",
# "name": "Jane Smith",
# "preferred_username": "jane",
Expand Down
8 changes: 4 additions & 4 deletions docs/user-guides/envoy-jwt-authn-and-authorino.md
Original file line number Diff line number Diff line change
Expand Up @@ -195,10 +195,10 @@ data:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
keycloak:
issuer: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant
issuer: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant
remote_jwks:
http_uri:
uri: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/certs
uri: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/certs
cluster: keycloak
timeout: 5s
cache_duration:
Expand Down Expand Up @@ -391,7 +391,7 @@ The `AuthConfig` deployed in the previous step is suitable for validating access
Obtain an access token from within the cluster for the user John, a non-admin (member) user:

```sh
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=john' -d 'password=p' | jq -r .access_token)
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=john' -d 'password=p' -d 'scope=openid' | jq -r .access_token)
```

If your Keycloak server is reachable from outside the cluster, feel free to obtain the token directly. Make sure the host name set in the OIDC issuer endpoint in the `AuthConfig` matches the one used to obtain the token and is as well reachable from within the cluster.
Expand Down Expand Up @@ -429,7 +429,7 @@ curl -H "Authorization: Bearer $ACCESS_TOKEN" \
Obtain an access token with the Keycloak server for Jane, an admin user:

```sh
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' | jq -r .access_token)
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' -d 'scope=openid' | jq -r .access_token)
```

As Jane, consume the API inside the area where the policy applies:
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
6 changes: 3 additions & 3 deletions docs/user-guides/json-pattern-matching-authorization.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ spec:
authentication:
"keycloak-kuadrant-realm":
jwt:
issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant
issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant
authorization:
"email-verified-only":
when:
Expand Down Expand Up @@ -180,7 +180,7 @@ The `AuthConfig` deployed in the previous step is suitable for validating access
Obtain an access token from within the cluster for the user Jane, whose e-mail has been verified:

```sh
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' | jq -r .access_token)
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' -d 'scope=openid' | jq -r .access_token)
```

If your Keycloak server is reachable from outside the cluster, feel free to obtain the token directly. Make sure the host name set in the OIDC issuer endpoint in the `AuthConfig` matches the one used to obtain the token and is as well reachable from within the cluster.
Expand Down Expand Up @@ -208,7 +208,7 @@ curl -H "Authorization: Bearer $ACCESS_TOKEN" \
Obtain an access token with the Keycloak server for Peter:

```sh
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=peter' -d 'password=p' | jq -r .access_token)
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=peter' -d 'password=p' -d 'scope=openid' | jq -r .access_token)
```

As Peter, consume the API outside the area where the policy applies:
Expand Down
19 changes: 12 additions & 7 deletions docs/user-guides/keycloak-authorization-services.md
Original file line number Diff line number Diff line change
Expand Up @@ -160,21 +160,21 @@ spec:
authentication:
"keycloak-kuadrant-realm":
jwt:
issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant
issuerUrl: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant
authorization:
"uma":
opa:
rego: |
pat := http.send({"url":"http://talker-api:523b92b6-625d-4e1e-a313-77e7a8ae4e88@keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token","method": "post","headers":{"Content-Type":"application/x-www-form-urlencoded"},"raw_body":"grant_type=client_credentials"}).body.access_token
resource_id := http.send({"url":concat("",["http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/authz/protection/resource_set?uri=",input.context.request.http.path]),"method":"get","headers":{"Authorization":concat(" ",["Bearer ",pat])}}).body[0]
pat := http.send({"url":"http://talker-api:523b92b6-625d-4e1e-a313-77e7a8ae4e88@keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token","method": "post","headers":{"Content-Type":"application/x-www-form-urlencoded"},"raw_body":"grant_type=client_credentials"}).body.access_token
resource_id := http.send({"url":concat("",["http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/authz/protection/resource_set?uri=",input.context.request.http.path]),"method":"get","headers":{"Authorization":concat(" ",["Bearer ",pat])}}).body[0]
scope := lower(input.context.request.http.method)
access_token := trim_prefix(input.context.request.http.headers.authorization, "Bearer ")
default rpt = ""
rpt = access_token { object.get(input.auth.identity, "authorization", {}).permissions }
else = rpt_str {
ticket := http.send({"url":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/authz/protection/permission","method":"post","headers":{"Authorization":concat(" ",["Bearer ",pat]),"Content-Type":"application/json"},"raw_body":concat("",["[{\"resource_id\":\"",resource_id,"\",\"resource_scopes\":[\"",scope,"\"]}]"])}).body.ticket
rpt_str := object.get(http.send({"url":"http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token","method":"post","headers":{"Authorization":concat(" ",["Bearer ",access_token]),"Content-Type":"application/x-www-form-urlencoded"},"raw_body":concat("",["grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&ticket=",ticket,"&submit_request=true"])}).body, "access_token", "")
ticket := http.send({"url":"http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/authz/protection/permission","method":"post","headers":{"Authorization":concat(" ",["Bearer ",pat]),"Content-Type":"application/json"},"raw_body":concat("",["[{\"resource_id\":\"",resource_id,"\",\"resource_scopes\":[\"",scope,"\"]}]"])}).body.ticket
rpt_str := object.get(http.send({"url":"http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token","method":"post","headers":{"Authorization":concat(" ",["Bearer ",access_token]),"Content-Type":"application/x-www-form-urlencoded"},"raw_body":concat("",["grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&ticket=",ticket,"&submit_request=true"])}).body, "access_token", "")
}
allow {
Expand Down Expand Up @@ -206,7 +206,7 @@ The `AuthConfig` deployed in the previous step is suitable for validating access
Obtain an access token from within the cluster for user Jane:

```sh
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' | jq -r .access_token)
ACCESS_TOKEN=$(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' -d 'scope=openid' | jq -r .access_token)
```

If your Keycloak server is reachable from outside the cluster, feel free to obtain the token directly. Make sure the host name set in the OIDC issuer endpoint in the `AuthConfig` matches the one used to obtain the token and is as well reachable from within the cluster.
Expand All @@ -220,7 +220,12 @@ curl -H "Authorization: Bearer $ACCESS_TOKEN" http://talker-api.127.0.0.1.nip.io
# HTTP/1.1 403 Forbidden
```

As John, log in to http://localhost:8080/auth/realms/kuadrant/account in the web browser (username: `john` / password: `p`), and grant access to the resource `greeting-1` for Jane. A pending permission request by Jane shall exist in the list of John's _Resources_.
As John, log in to http://localhost:8080/realms/kuadrant/account in the web browser (username: `john` / password: `p`), and grant access to the resource `greeting-1` for Jane. A pending permission request by Jane shall exist in the list of John's _Resources_.

![Keycloak Authorization Services](images/keycloak-authorization-services-1.png)
![Keycloak Authorization Services - pending request](images/keycloak-authorization-services-2.png)
![Keycloak Authorization Services - approve](images/keycloak-authorization-services-3.png)


As Jane, try to consume the protected resource `/greetings/1` again:

Expand Down
6 changes: 3 additions & 3 deletions docs/user-guides/oauth2-token-introspection.md
Original file line number Diff line number Diff line change
Expand Up @@ -179,7 +179,7 @@ spec:
authentication:
"keycloak":
oauth2Introspection:
endpoint: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token/introspect
endpoint: http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token/introspect
tokenTypeHint: requesting_party_token
credentialsRef:
name: oauth2-token-introspection-credentials-keycloak
Expand Down Expand Up @@ -219,7 +219,7 @@ The `AuthConfig` deployed in the previous step is suitable for validating access
Obtain an access token from within the cluster for the user Jane, whose e-mail has been verified:

```sh
export $(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' | jq -r '"ACCESS_TOKEN="+.access_token,"REFRESH_TOKEN="+.refresh_token')
export $(kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/token -s -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' -d 'scope=openid' | jq -r '"ACCESS_TOKEN="+.access_token,"REFRESH_TOKEN="+.refresh_token')
```

If your Keycloak server is reachable from outside the cluster, feel free to obtain the token directly. Make sure the host name set in the OIDC issuer endpoint in the `AuthConfig` matches the one used to obtain the token and is as well reachable from within the cluster.
Expand All @@ -234,7 +234,7 @@ curl -H "Authorization: Bearer $ACCESS_TOKEN" http://talker-api.127.0.0.1.nip.io
Revoke the access token and try to consume the API again:

```sh
kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant/protocol/openid-connect/logout -H "Content-Type: application/x-www-form-urlencoded" -d "refresh_token=$REFRESH_TOKEN" -d 'token_type_hint=requesting_party_token' -u demo:
kubectl run token --attach --rm --restart=Never -q --image=curlimages/curl -- http://keycloak.keycloak.svc.cluster.local:8080/realms/kuadrant/protocol/openid-connect/logout -H "Content-Type: application/x-www-form-urlencoded" -d "refresh_token=$REFRESH_TOKEN" -d 'token_type_hint=requesting_party_token' -u demo:
```

```sh
Expand Down
Loading

0 comments on commit 91d587e

Please sign in to comment.